Question
I have my website (Azure App Service) deployed in two regions under Microsoft Azure.
https://abcd1-westus.azurewebsites.net/
https://abcd2-centralus.azurewebsites.net/
I created a Traffic Manager profile to control the distribution of user traffic for the service endpoints. The DNS name of the Traffic Manager profile is "http://abcd.trafficmanager.net".
Authentication is done by Azure AD.
When we try to access the Traffic Manager DNS URL, it prompts for AAD login, redirects to https://abcd2.azurewebsites.net and the yellow page error comes up:
"IDX10311: RequireNonce is 'true' (default) but validationContext.Nonce is null. A nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'."
If I open the individual website URL it works perfectly. I have used the below code in Startup.Auth.cs. I am using Microsoft.Owin.Security.OpenIdConnect, Version 3.1.0.0.
    using System;
    using System.Configuration;
    using System.Threading.Tasks;
    using System.Web;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.Notifications;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        string secretKey = ConfigurationManager.AppSettings["AppKey"];
        string clientId = ConfigurationManager.AppSettings["ClientId"];
        string authority = ConfigurationManager.AppSettings["Authority"];
        string resource = ConfigurationManager.AppSettings["Resource"];
        string redirectUri = ConfigurationManager.AppSettings["RedirectUri"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());
            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    RedirectUri = redirectUri,
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        // Replaces redirect_uri with whatever URL the current request arrived on
                        RedirectToIdentityProvider = n =>
                        {
                            n.ProtocolMessage.RedirectUri = n.OwinContext.Request.Uri.ToString();
                            return Task.FromResult(0);
                        },
                        AuthorizationCodeReceived = OnAuthorizationCodeReceived
                    }
                });
        }

        // Redeems the authorization code for an access token with ADAL;
        // NaiveSessionCache is the per-user token cache class defined elsewhere in the project
        private async Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification context)
        {
            var code = context.Code;
            ClientCredential credential = new ClientCredential(clientId, secretKey);
            string userObjectID = context.AuthenticationTicket.Identity
                .FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
            AuthenticationContext authContext = new AuthenticationContext(authority, new NaiveSessionCache(userObjectID));
            // The redirect URI passed here must match the one sent in the authorization request
            Uri uri = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
            AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(code, uri, credential, resource);
        }
    }
Please help me to resolve this issue. Production is close :(
Answer 1:
The problem is you can't mix the Traffic Manager URL and the Web App URLs.
The nonce cookie is set on the TM domain and the redirect back comes on a different domain. So the nonce cookie is not found.
So the URL the user sees in the address bar should be the same all the time. If they access the site over https://abc.trafficmanager.net, then Azure AD needs to redirect them to https://abc.trafficmanager.net after authentication. It must not use the azurewebsites.net URL at any time.
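An added example of the rule the answer states, not code from the question or the answer: redirect_uri is built from one configured public host instead of the incoming Host header, and a request that arrives on any other host (such as a regional azurewebsites.net name) is sent to the public host before sign-in starts, so the nonce cookie and the callback always share one domain. The app setting PublicHostName, the class PublicHostRedirect and its methods are assumptions for this example; the redirect_uri it produces must still be registered on the Azure AD app.

```csharp
// Added example, not code from the question or the answer. Assumes a hypothetical app
// setting "PublicHostName" holding the Traffic Manager host, e.g. abcd.trafficmanager.net.
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;

public static class PublicHostRedirect
{
    // The only host users should ever see; the nonce cookie and the OIDC callback both live here.
    static readonly string publicHost = ConfigurationManager.AppSettings["PublicHostName"];

    // Builds redirect_uri from the configured host, never from the request's own Host header.
    // path is the OWIN request path ("/Account/SignIn"); query is the raw query string without '?'.
    public static string BuildRedirectUri(string path, string query)
    {
        var builder = new UriBuilder("https", publicHost) { Path = path, Query = query ?? "" };
        return builder.Uri.AbsoluteUri;
    }

    // True when the request arrived on the public host (case-insensitive, port ignored).
    public static bool IsPublicHost(string requestHost)
    {
        if (string.IsNullOrEmpty(requestHost)) return false;
        var hostOnly = requestHost.Split(':')[0];
        return string.Equals(hostOnly, publicHost, StringComparison.OrdinalIgnoreCase);
    }

    // Drop-in replacement for the Notifications object in OpenIdConnectAuthenticationOptions.
    public static OpenIdConnectAuthenticationNotifications Create()
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                var target = BuildRedirectUri(n.Request.Path.Value, n.Request.QueryString.Value);
                if (!IsPublicHost(n.Request.Host.Value))
                {
                    // Arrived on a regional host: move the browser to the public host before the
                    // middleware sets the nonce cookie, so the cookie lands on the callback domain.
                    n.HandleResponse();
                    n.Response.Redirect(target);
                    return Task.FromResult(0);
                }
                n.ProtocolMessage.RedirectUri = target; // always the public host
                return Task.FromResult(0);
            }
        };
    }
}
```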
Source: https://stackoverflow.com/questions/49418562/requirenonce-is-true-default-but-validationcontext-nonce-is-null-in-azure-tr